Firewall Wizards mailing list archives
RE: Link level security with static arp tables
From: "Ben Nagy" <ben () iagu net>
Date: Wed, 15 Oct 2003 16:11:56 +0200
-----Original Message-----
[Magosanyi Arpad]
If real authentication, integrity and confidentiality is needed, I would do IPSEC. Any other (or same) ideas?
[This is Paul] [Strong reservations expressed, but IPSec is]
a viable alternative, as is a gateway between user segments and backbones similar to those found in airports and coffee shops; that isn't all that bad an idea (or an authenticating firewall...)
I know....how about SOCKS! Seriously, we're just indulging in over-engineering here.

However, if I were doing it for a strong security environment I have grave concerns about IPSec. Hard to install, hard to maintain, ugly protocol at the best of times, and at the basic level it only does machine-level authentication. The Microsoft IPSec/Kerberos implementation is a better approach, but we all know there are lots of interop and fast-and-loose standards problems. At least it tries to authenticate the user and the station, which is a big step in the right direction.

Frankly, in a real world environment that needed strong security along these lines I would apply a combination of good physical security, no active unused wall-points and the switch Port/MAC thing. All external access would be via a proxy which can authenticate each user. A circuit level gateway really is a good match for this problem. If only SOCKS didn't suck. :)

If I can't have any physical security I vote for 802.1x over IPSec. The problem with the IPSec thing is that the attacker is physically able to see and interfere with traffic and we rely on our technical controls to deal with it from there. 802.1x starts with the port in a null VLAN where the attacker sees nothing.

I am not aware of how PEAP is "known broken" for this kind of application (assuming one takes just a little care), and I'm not sure it will go away. If anyone has any good stuff to point me at I'd be interested in discussing this aspect further. I am, of course, familiar with the IETF draft. [1] I agree that I much prefer EAP-TTLS [2], since it's a cleaner design, but "word on the street" has it that PEAP is looking more likely to emerge as market victor.

ben

[1] http://www.ietf.org/internet-drafts/draft-puthenkulam-eap-binding-03.txt
[2] http://www.ietf.org/internet-drafts/draft-ietf-pppext-eap-ttls-03.txt